Encryption Bug in SIM Card Can be Used to Hack Millions of Phones

A flaw in the encryption technology used by some SIM cards in mobile devices can be exploited to take control of the device, a German researcher has found.

The vulnerability would allow attackers to send spoofed text messages to obtain the 56-bit data encryption standard (DES) key used by the targeted phone's SIM card, Karsten Nohl, founder of Berlin's Security Research Labs, told the New York Times and Forbes. With the key in hand, attackers would be able to install malicious software and perform other nefarious operations on the device. More details will be revealed during his presentation at the Black Hat conference in Las Vegas later this month.

About half of the SIM cards in use today still rely on the older DES encryption rather than the newer and more secure triple-DES, Nohl estimated. Over a two-year period, Nohl tested 1,000 SIM cards in Europe and North America and found that a quarter of them were vulnerable to attack. He believed that as many as 750 million phones may be affected by this flaw.

"Give me any phone number and there is some chance I will, a few minutes later, be able to remotely control this SIM card and even make a copy of it," Nohl told Forbes.

Description of Attack

Carriers can send text messages for billing purposes and to confirm mobile transactions. The handset relies on a digital signature to verify that the carrier is the one sending the message. Nohl sent fake messages that pretended to come from the mobile carrier and carried a false signature. In three-quarters of the messages sent to phones using DES, the handset correctly flagged the fake signature and terminated the communication. In the remaining quarter, however, the handset sent back an error message that included its own encrypted digital signature. From that signature Nohl was able to derive the SIM's DES key, Forbes reported.

"Different shipments of SIM cards either have [the bug] or not," Nohl told Forbes. "It's very random," he said.

With the SIM key in hand, Nohl could send another text message that installs software on the targeted phone to perform a wide range of malicious activities, including sending text messages to premium-rate numbers, eavesdropping on calls, redirecting incoming calls to other numbers, or even committing payment-system fraud, according to Forbes. Nohl said the attack itself took him only a few minutes to carry out from a PC.
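The exchange described in the two paragraphs above, as an added illustration that is not code from the original article or from Nohl's research: a spoofed message with a bad signature is sent to a card, a vulnerable card answers with an error that is itself signed under the card's DES key, and that single known-plaintext/MAC pair is enough to brute-force the 56-bit key and then forge a command the card accepts. The model is deliberately simplified: a zero-IV CBC-MAC stands in for the over-the-air signature, the message format, the error body, the key and the type and function names are all constructed for this example, and the brute force is confined to the last 16 bits of the key (a constructed 6-byte prefix is given to the attacker) so it finishes in well under a second; the real search covers 2^56 keys and is done with precomputed tables, but its structure is the same.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
)

// cbcMAC computes a zero-IV CBC-MAC over an 8-byte-aligned message with a
// single-DES key (8 bytes) or a triple-DES key (24 bytes). This stands in
// for the "digital signature" the article describes; the real OTA message
// format is not reproduced here.
func cbcMAC(key, msg []byte) ([]byte, error) {
	var blk cipher.Block
	var err error
	switch len(key) {
	case 8:
		blk, err = des.NewCipher(key)
	case 24:
		blk, err = des.NewTripleDESCipher(key)
	default:
		err = fmt.Errorf("key must be 8 (DES) or 24 (3DES) bytes, got %d", len(key))
	}
	if err != nil {
		return nil, err
	}
	if len(msg) == 0 || len(msg)%8 != 0 {
		return nil, fmt.Errorf("message length %d is not a positive multiple of 8", len(msg))
	}
	mac := make([]byte, 8)
	x := make([]byte, 8)
	for i := 0; i < len(msg); i += 8 {
		for j := range x {
			x[j] = mac[j] ^ msg[i+j]
		}
		blk.Encrypt(mac, x)
	}
	return mac, nil
}

// SIM models the two card behaviours the article contrasts. Both verify the
// MAC on an incoming message; they differ in what happens when it fails.
type SIM struct {
	Key              []byte // constructed key for this example, not a real card's
	LeaksSignedError bool   // true: replies with an error MACed under Key
}

// Reply is what comes back to the sender over SMS.
type Reply struct {
	Accepted bool
	ErrMsg   []byte // nil when the card drops the message silently
	ErrMAC   []byte
}

// errBody is a constructed, fixed error body. Because it is predictable,
// the attacker knows the plaintext the returned MAC was computed over.
var errBody = []byte("SIM-ERR!")

func (s *SIM) Receive(msg, mac []byte) (Reply, error) {
	want, err := cbcMAC(s.Key, msg)
	if err != nil {
		return Reply{}, err
	}
	if bytes.Equal(want, mac) {
		return Reply{Accepted: true}, nil
	}
	if !s.LeaksSignedError {
		return Reply{}, nil // hardened behaviour: nothing usable goes back
	}
	emac, err := cbcMAC(s.Key, errBody)
	if err != nil {
		return Reply{}, err
	}
	return Reply{ErrMsg: errBody, ErrMAC: emac}, nil
}

// RecoverDESKey brute-forces a single-DES key from one known (message, MAC)
// pair. Only keys sharing the constructed 6-byte prefix are tried (2^16
// candidates) so the example runs quickly; the real attack covers 2^56.
// DES ignores the low parity bit of each key byte, so the first match found
// has those bits clear.
func RecoverDESKey(prefix, knownMsg, knownMAC []byte) ([]byte, bool) {
	if len(prefix) != 6 {
		return nil, false
	}
	key := make([]byte, 8)
	copy(key, prefix)
	for v := 0; v < 1<<16; v++ {
		key[6], key[7] = byte(v>>8), byte(v)
		mac, err := cbcMAC(key, knownMsg)
		if err != nil {
			return nil, false
		}
		if bytes.Equal(mac, knownMAC) {
			out := make([]byte, 8)
			copy(out, key)
			return out, true
		}
	}
	return nil, false
}

// Attack runs the exchange end to end: send a spoofed message with a bogus
// MAC and, if the card answers with a signed error, crack the key from it.
func Attack(card *SIM, knownPrefix []byte) ([]byte, bool, error) {
	spoofed := []byte("INSTALL!") // constructed 8-byte "carrier" command
	bogusMAC := make([]byte, 8)   // attacker does not know the key yet
	r, err := card.Receive(spoofed, bogusMAC)
	if err != nil || r.Accepted || r.ErrMsg == nil {
		return nil, false, err
	}
	key, ok := RecoverDESKey(knownPrefix, r.ErrMsg, r.ErrMAC)
	return key, ok, nil
}

func main() {
	key := []byte{0x13, 0x57, 0x9b, 0xdf, 0x24, 0x68, 0xac, 0xe0} // constructed
	vuln := &SIM{Key: key, LeaksSignedError: true}
	safe := &SIM{Key: key, LeaksSignedError: false}

	k, ok, _ := Attack(vuln, key[:6])
	fmt.Printf("vulnerable card: key recovered=%v key=%x\n", ok, k)
	_, ok2, _ := Attack(safe, key[:6])
	fmt.Printf("hardened card:   key recovered=%v\n", ok2)

	// With the key, the attacker forges a MAC the card accepts.
	if ok {
		cmd := []byte("INSTALL!")
		forged, _ := cbcMAC(k, cmd)
		r, _ := vuln.Receive(cmd, forged)
		fmt.Printf("forged command accepted=%v\n", r.Accepted)
	}
}
```

The hardened card in the model returns nothing on a failed check, so the attacker gets no plaintext/MAC pair to work from; that, together with moving to a 24-byte triple-DES key (which cbcMAC also accepts, but whose 112-bit effective key space is out of reach for a brute force like RecoverDESKey), is the substance of the fixes discussed later in the article.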

"We can spy on you. We know your encryption keys for calls. We can read your SMSs. More than just spying, we can steal data from the SIM card, your mobile identity, and charge to your account," Nohl told the New York Times.

Fix Underway?

Nohl has already disclosed the vulnerability to the GSM Association, a mobile industry group based in London. The GSMA has in turn notified the network operators and SIM vendors that could be affected. "A minority of SIMs produced against older standards could be vulnerable," the group's spokesperson told The New York Times.

The International Telecommunication Union, a United Nations agency, told Reuters the research was "hugely significant," and that it will be notifying telecommunications regulators and other government agencies in nearly 200 countries. The ITU will also reach out to mobile companies, academics and other industry experts, Reuters reported.

With information about the vulnerability now public, Nohl estimated that cyber-criminals would likely need at least six months to reproduce the attack. That should give carriers and the rest of the wireless industry time to implement fixes.

Nohl told Forbes the industry should use better filtering technology to block spoofed messages and should phase out SIM cards that use DES. Consumers whose SIM cards are more than three years old should request new cards (which will likely use triple-DES) from their carriers, Nohl recommended.

Fahmida Y. Rashid is a senior analyst for business at PCMag.com. She focuses on ways businesses can use technology to work efficiently and easily. She is paranoid about security and privacy, and considers security implications when evaluating business technology. She has written for eWEEK, Dark Reading, and SecurityWeek covering security, core Internet infrastructure, and open source.